CVE-2018-7164

NameCVE-2018-7164
DescriptionNode.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)jessie0.10.29~dfsg-2fixed
stretch4.8.2~dfsg-1fixed
buster, sid8.11.2~dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)(unfixed)unimportant
nodejssourcejessie(not affected)
nodejssourcestretch(not affected)

Notes

[stretch] - nodejs <not-affected> (Only affects >= 9.x)
[jessie] - nodejs <not-affected> (Only affects >= 9.x)
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164
https://github.com/nodejs/node/commit/3217e8e66fa81e

Search for package or bug name: Reporting problems